Microsoft GDI+ JPEG Integer Underflow Vulnerability

•Als ODP, PDF herunterladen•

0 gefällt mir•3,659 views

This presentation is about what buffer overflows are, what heap overflows are and how they are exploited. Specifically, focus is on how this is used to exploit jpeg images im Microsoft Windows Systems.

Technologie

Principles Of Secure Coding

JPEG Integer Underflow
Microsoft Security Bulletin MS04-028

Ashish Malik
1731110017

Microsoft JPEG Vulnerability

Jpeg's themselves are not the problem however. Problem lies in
the application that reads this information and displays the
pictures on screen.
The exploit triggers an overflow in a common windows
component called the GDI+ Jpeg Decoder.
Vulnerability specifically resides in “gdiplus.dll”.
These attack images are not technically a virus.
Different windows applications frequently distribute their own
versions of GDI+.

Buffer Overflow

Application fails to check the size of input data before copying it
to memory.
Two types of buffer overflows :
Stack Overflow
Heap Overflow

Stack and Heap are memory regions used by a process for storing
various types of data.

Stack Overflow

When a process makes a function call, the address of the next
instruction, known as the return pointer, or RET is pushed onto
stack.
Function call parameters are pushed on after RET.
Execution then jumps to the address of the called function.

Heap Overflow

Region of memory used by a process for accommodating data of
sizes unknown at compile time.
Created within a process's virtual address space.
OS is responsible for heap management.
Malloc() or HeapAlloc()
Standard heap contains an array called Free List, used to track
the locations of free heap blocks.

GDI+ Jpeg Vulnerability

Jpeg format defines a no. of headers.
The vulnerability described in MS04-028 lies in how GDI+
handles the comment header.
Each header segment begins with a 2-bytes ID.
Comment header consist of COM marker(0xFFFE)
GDI+ calculates the comment length by 2 from the value of
length field.

GDI+ Jpeg Vulnerability

If length field specifies a comment length of 0 or 1, the GDI+
calculation results in a negative value.
1 – 2 = -1 ≡ 0xFFFFFFFF ≡ 4GB - 1
It is interpreted as a positive integer in excess of 4 billion.
Unsigned integer of 32 bit is used to store the length of the
comment data.

GDI+ Jpeg Vulnerability

The GDI+ routine for copying the comment data to the heap is :
rep mov [edi], [esi]
The ECX register is used as the counter.
GDI+ allows excessively large counter value.
GDI+ handles access violation by requesting additional heap
space to continue with rep mov
HeapAlloc() returns pointers to heap locations, which contains
the JPEG data.

GDI+ Jpeg Vulnerability

The exploit takes advantage of this to overwrite the Unhandled
Exception Filter Pointer.
Exploits may also use some form of win32_reverse shellcode
from of Metasploit Project Shellcode Repository.

Weitere ähnliche Inhalte

Ähnlich wie Microsoft GDI+ JPEG Integer Underflow Vulnerability

[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹

GangSeok Lee

Reconstructing Gapz: Position-Independent Code Analysis Problem

Alex Matrosov

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

DefCamp

The slides from Software Diagnostics Services .NET memory dump analysis training. The training description: "Covers 22 .NET memory dump analysis patterns plus additional 11 unmanaged patterns. Learn how to analyze CLR 4 .NET application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger to diagnose patterns in 64-bit and 32-bit process memory dumps. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The third edition was fully reworked to use the latest WinDbg version and Windows 10. It also includes 9 optional legacy exercises from the previous editions covering CLR 2 and 4, Windows Vista and Windows 7. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers and quality assurance engineers."

Accelerated .NET Memory Dump Analysis training public slides

Dmitry Vostokov

CDT: So you want me to use which debugger ... ? Deciphering the CDT debugger alphabet soup. Bruce Griffith John Cortell (Freescale Semiconductor) As the developer of an IDE based on CDT, you can choose to support: The GNU debugger (gdb) The Eclipse Debugger for C/C++ (EDC) Debug Services Framework (DSF) Target Communication Framework (TCF) agents How do you decide which ones are right for your application? This talk will present a guide describing how the current choices for remote debugging work together (or don’t) and a consumer’s view of the advantages of some of the possible combinations.

EclipseCon 2011: Deciphering the CDT debugger alphabet soup

Bruce Griffith

Parallel computation

Jayanti Prasad Ph.D.

Unmanaged Parallelization via P/Invoke

Dmitri Nesteruk

parallel-computation.pdf

C programming part2

C programming part2

C programming part2

A Collection of Examples of 64-bit Errors in Real Programs

Andrey Karpov

Data race

James Wong

Tutorial 37 API Coding

Max Kleiner

The coming of 64-bit processors to the PC market causes a problem which the developers have to solve: the old 32-bit applications should be ported to the new platform. After such code migration an application may behave incorrectly. The article is elucidating question of development and appliance of static code analyzer for checking out of the correctness of such application. Some problems emerging in applications after recompiling in 64-bit systems are considered in this article as well as the rules according to which the code check up is performed.

Static code analysis for verification of the 64-bit applications

PVS-Studio

A Collection of Examples of 64-bit Errors in Real Programs

PVS-Studio

Production Debugging at Code Camp Philly

Brian Lyttle

Managed DirectX

A. LE

Mirage: ML kernels in the cloud (ML Workshop 2010)

Anil Madhavapeddy

Csharp dot net

Revanth Mca

Ähnlich wie Microsoft GDI+ JPEG Integer Underflow Vulnerability (20)

[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹

Reconstructing Gapz: Position-Independent Code Analysis Problem

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012

Accelerated .NET Memory Dump Analysis training public slides

EclipseCon 2011: Deciphering the CDT debugger alphabet soup

Parallel computation

Unmanaged Parallelization via P/Invoke

parallel-computation.pdf

C programming part2

A Collection of Examples of 64-bit Errors in Real Programs

Data race

Tutorial 37 API Coding

Static code analysis for verification of the 64-bit applications

A Collection of Examples of 64-bit Errors in Real Programs

Production Debugging at Code Camp Philly

Managed DirectX

Mirage: ML kernels in the cloud (ML Workshop 2010)

Csharp dot net

Kürzlich hochgeladen

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Architecting Cloud Native Applications

WSO2

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Kürzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Architecting Cloud Native Applications

Data Cloud, More than a CDP by Matt Robison

Why Teams call analytics are critical to your entire business

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

MINDCTI Revenue Release Quarter One 2024

Artificial Intelligence Chap.5 : Uncertainty

Strategies for Landing an Oracle DBA Job as a Fresher

A Year of the Servo Reboot: Where Are We Now?

GenAI Risks & Security Meetup 01052024.pdf

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Corporate and higher education May webinar.pptx

FWD Group - Insurer Innovation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Powerful Google developer tools for immediate impact! (2023-24 C)

How to Troubleshoot Apps for the Modern Connected Worker

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Microsoft GDI+ JPEG Integer Underflow Vulnerability

1. Principles Of Secure Coding JPEG Integer Underflow Microsoft Security Bulletin MS04-028 Ashish Malik 1731110017

2. Microsoft JPEG Vulnerability Jpeg's themselves are not the problem however. Problem lies in the application that reads this information and displays the pictures on screen. The exploit triggers an overflow in a common windows component called the GDI+ Jpeg Decoder. Vulnerability specifically resides in “gdiplus.dll”. These attack images are not technically a virus. Different windows applications frequently distribute their own versions of GDI+.

3. Buffer Overflow Application fails to check the size of input data before copying it to memory. Two types of buffer overflows : Stack Overflow Heap Overflow Stack and Heap are memory regions used by a process for storing various types of data.

4. Stack Overflow When a process makes a function call, the address of the next instruction, known as the return pointer, or RET is pushed onto stack. Function call parameters are pushed on after RET. Execution then jumps to the address of the called function.

5. Stack Overflow

6. Stack Overflow

7. Heap Overflow Region of memory used by a process for accommodating data of sizes unknown at compile time. Created within a process's virtual address space. OS is responsible for heap management. Malloc() or HeapAlloc() Standard heap contains an array called Free List, used to track the locations of free heap blocks.

12. GDI+ Jpeg Vulnerability Jpeg format defines a no. of headers. The vulnerability described in MS04-028 lies in how GDI+ handles the comment header. Each header segment begins with a 2-bytes ID. Comment header consist of COM marker(0xFFFE) GDI+ calculates the comment length by 2 from the value of length field.

13. GDI+ Jpeg Vulnerability If length field specifies a comment length of 0 or 1, the GDI+ calculation results in a negative value. 1 – 2 = -1 ≡ 0xFFFFFFFF ≡ 4GB - 1 It is interpreted as a positive integer in excess of 4 billion. Unsigned integer of 32 bit is used to store the length of the comment data.

14. GDI+ Jpeg Vulnerability The GDI+ routine for copying the comment data to the heap is : rep mov [edi], [esi] The ECX register is used as the counter. GDI+ allows excessively large counter value. GDI+ handles access violation by requesting additional heap space to continue with rep mov HeapAlloc() returns pointers to heap locations, which contains the JPEG data.

15. GDI+ Jpeg Vulnerability The exploit takes advantage of this to overwrite the Unhandled Exception Filter Pointer. Exploits may also use some form of win32_reverse shellcode from of Metasploit Project Shellcode Repository.

16. Q&A Thank You

Microsoft GDI+ JPEG Integer Underflow Vulnerability

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Microsoft GDI+ JPEG Integer Underflow Vulnerability

Ähnlich wie Microsoft GDI+ JPEG Integer Underflow Vulnerability (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Microsoft GDI+ JPEG Integer Underflow Vulnerability